1. o health information technology management o for being medicaid-funded health care professionals...

1

o Health Information Technology Managemento For being Medicaid-funded health care

professionalso For working on program integrity

2

• Medicaid Inspector General: James C. Cox

• Former Regional Inspector General for the HHS Office of the Inspector General

• Two decades of Medicaid auditing experience

• Auditor by trade3

o Introduction to OMIGo The Big Questiono Wrap Up

4

5

o Established in 2006 as an independent program integrity entity within the Department of Health (DOH).

o Our mission: To enhance the integrity of the New York State Medicaid program by preventing and detecting fraudulent, abusive and wasteful practices in the Medicaid program and recovering improperly expended Medicaid funds while promoting high-quality patient care.

6

OMIG consists of seven core components:oDivision of Medicaid AuditoDivision of Medicaid InvestigationsoDivision of Technology and Business AutomationoDivision of AdministrationoOffice of CounseloBureau of ComplianceoOffice of Agency Coordination and Communications

7

OMIG is organized into Business Line Teams (BLTs):oManaged Care oMedical Services in an Educational Setting oHome and Community Care Services oHospital and Outpatient Clinic Services oMental Health, Chemical Dependence, and Developmental Disabilities Services oPharmacy and Durable Medical Equipment oPhysicians, Dentists, and Laboratories oResidential Health Care Facilities oTransportation

8

• Great leadership: • Governor Andrew M. Cuomo • Medicaid Inspector General Jim C. Cox

• Advanced Tools:• Cutting-edge data analysis and visualization

tools• Industry leading practices:

• Transparency• Compliance• Data mining• Investigations• Audits• Cost-saving activities

• Terrific staff• Partnerships with the program integrity

community in New York and beyond• That includes you!

Governor Cuomo

9

10

I am sure you all know what HIT is – information technology that is health-related. It can be a great timesaver – if implemented

correctly.

11

o Webster’s II New College Dictionary defines integrity as: o Firm adherence to a code or standard of values:

probityo The state of being unimpaired: soundnesso The quality or condition of being undivided:

completeness

12

To answer the question – let’s look at one of the classics of information technology and

learn a little from it…

13

14

o You know the story –o Two kids walking through the foresto Want to make sure they do not get lost

15

o They leave a trail of breadcrumbs.

o That’s supposed to help them find their way home.

o Pretty simple.

16

o A bird comes along and eats the breadcrumbs.

o Hansel and Gretel have a pretty traumatic experience.

o In the end, they barely escape back to their family.

17

o The story you just heard is the second and third act of the Hansel and Gretel story.

o Most folks don’t know about act one.o Act one paints a picture of a different Hansel.

18

o In act one – Hansel goes into the forest and lays down a trail of white stones that he collected before the trip.

o Guess what:o The bird doesn’t eat the stones.o Hansel gets back home without a problem!

19

o When he goes into the forest in act two he lays down a trail of breadcrumbs. Why?

o He was prevented from gathering the stones like the first time.o He was unprepared.o He was in a rush.o He was confronted with adversity.

20

o Unprepared. Rushed. Done under adverse conditions.

o For folks who have had trouble with HIT implementations – does any of this sound familiar?

21

o Let me tell you another story – this one’s from real life.

o This one involves three transportation companies.

22

o Three different transportation companies were audited and the records from the three companies looked identical.

o Turned out they all used the same vendor for their electronic recordkeeping system

23

o Upon auditing them, we realized they had no paper records – just records in an archaic database.

o Reason: They hired Ellen* as an employee who built a custom database.

o They disposed of all paper records after the information was entered.

*- more on Ellen in a minute.

24

o Heard about Ellen’s system from company #1. They hired Ellen as a consultant to install the system for them as well.

o They destroyed their records as well.

25

o Heard about how much success companies #1 and #2 were having and decided to adopt the Ellen database.

o They hired Ellen as a consultant – and then destroyed their records.

26

o Ellen, it turns out, was not an IT professional. She operated out of company #1’s dispatch area.

o She did the best she could, but she built the system with no controls. Records could be altered at any time – for any reason.

o Only she knew how it operated. Only she knew how to fix it.

27

o All three companies made a series of bad choices. But as things broke down there was a cascading effect.

o Worst of all, all backup documentation was destroyed, which, to an auditor’s eye, means services cannot be verified.

o This opens up an organization to a lot of potential adverse consequences.

28

o How to prevent an Ellen event:o Keep complete medical recordso Signatures (physical or electronic)o Excluded providerso Medical necessityo “Cloned” noteso Computer securityo Defense mechanismso HIPAA and other privacy concernso Other agencies involved in program integrity

29

o Records must reflect care plano Records must match coding and submitted billingo Records must be contemporaneous, up-to-date,

and not recreated in any formo Records must be signed (more on that later) and

dated after each section is completed

30

o Be Prepared:o Recordset lockso Strong controlso Access restricted on a need-to-know basiso Backup, backup, backupo Base it on standards. Not Ellen.

31

o Get it right. Don’t rush:o Plan, plan, and plan againo Manage your implementation

o Strong IT project management is a best practice

o Design for success and stick to your guns

32

o Buy-in from managemento Standards-based systems

o Make sure information is transferrable from one platform to another.

o Be realistic about conditions, not idealistic.

33

o Signatures may be handwritten or electronic.o If electronic, must be password-protectedo Electronic signature does not consist of just a typed-

in nameo Electronic signature must “freeze” that section of

record – no changes are allowed unless a separate addendum is completed

o Each signature must also include a date

34

o Not acceptable: signature stamps, “dictated but not read,” unsigned records

o Unsigned orders not recognizedo No provider may sign for another providero Records must be signed as soon as possible

35

o Providers who have been excluded from Medicaid or Medicare may not bill, order, or prescribe for patients covered by Medicaid or Medicare.

o If excluded providers perform services for Medicaid or Medicare recipients, they will not be paid.

o All potential employees must be checked against state and federal lists for exclusions.

36

o Medical necessity requires the judgment of skilled medical professionals.

o A physician’s assessment and determination may not be challenged if the judgment is clearly documented in the medical record (see stones #1, 2, and 3).

o CMS indicates that medical documentation must “contain sufficient, accurate information” to support the diagnoses and justify treatment and procedures, among other criteria.

37

o Caution: The movement toward electronic health records (EHRs) has led to a new problem: copied and templated documentation, referred to as “cloned” notes.

o These notes lose their uniqueness when so much of the information appears to be the same from patient to patient.

o Government and commercial payers are looking at this issue and, in some instances, refusing to pay for services when it appears that documentation is the same for every note for the same patient.

38

o Information Week reported on May 23, 2012 that two state Medicaid agencies experienced major data breaches in less than a month.

o The weak link: employees.o South Carolina: 228,435 Medicaid beneficiaries compromised.o Utah: 780,000 Medicaid records stolen; approximately 280,000 of

those had their Social Security numbers compromised.o Massachusetts Hospital Association paid $750,000 settlement for

2010 data breach of information for 800,000 individuals (eWeek.com, May 30, 2012)

39

o Health care organizations moving toward the use of cloud-based applications accessed over the Internet:o Recent Harris interactive survey revealed that almost

60 percent of CIOs in health care systems with EHRs and health information exchange said they planned to invest in cloud-based open systems.”

o Cloud-based systems can be valuable—as long as security is in place.

40

o Standard Web browsers contain security gapso Keep anti-virus protection up-to-dateo Install all security patcheso Back up materialso Limit the aggregation of data—strike an appropriate balance

between employees’ need to use data and a security policyo Marketers are spying on Internet users, especially social media

sites (e.g., Facebook, Twitter, YouTube)

41

o What are your policies and procedures?o What is your compliance program as it relates to health

information technology?o Who is your compliance officer? o What would you do in the event of a breach at your

facility or organization?o Who’s chipping away at your stones?

42

o Health Insurance Portability and Accountability Act: Is this just a phrase that you take for granted?

o Focus on:o Individual controlo Transparencyo Respect for contexto Securityo Access and accuracyo Focused collectiono Accountability

43

o Yes, there is integrity in Health IT, but only if you are prepared, working within a plan and in control.

o After more than 20 years of auditing health organizations I can tell you these rules apply both inside and outside of Health IT.

44

45

o You are on the frontlines of an amazing transformation.

o You are building a new world.o You are creating new systems never before seen.

46

o You are professionals with important choices.o Integrity will only be built-in if you build it.o Management and maintenance will only happen

if you are a part of it.o We don’t want breadcrumbs, after all. We want

a path we can trust. We all want solid records.

47

o Join our listserv; receive information about upcoming events (sign-up information on OMIG home page)

o Follow us on Twitter: NYSOMIGo Linked Ino Dedicated e-mail address: information@omig.ny.govo Audit reports, positive reports and protocolso Excluded provider listo And much more on http://www.omig.ny.govo Talk to us…we want to hear what you have to say.

48

o Thanks for taking program integrity seriously.

o Thanks for listening.o Thanks for participating in Medicaid.o Thanks for working with us to improve

program integrity.

49

James C. CoxMedicaid Inspector General

New York State Office of the Medicaid Inspector General800 North Pearl Street

Albany, NY 12204518-473-3782

50